thorsten/phpMyFAQ
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*
- <= 4.1.0
A vulnerability exists in phpMyFAQ versions prior to 4.1.1, where the regex-based SVG sanitizer can be bypassed using HTML entity encoding in 'javascript:' URLs within SVG '<a href>' attributes. This flaw allows users with 'edit_faq' permission to upload malicious SVG files that execute arbitrary JavaScript when viewed. The vulnerability enables privilege escalation from editor to full admin takeover.
Exploitation of this vulnerability leads to stored cross-site scripting, allowing uploaded SVGs to execute JavaScript in the context of the user viewing the image. This could be used to create backdoor admin accounts or exfiltrate sensitive information such as database credentials and API tokens.
To reproduce this vulnerability, log into the phpMyFAQ admin panel with an account that has 'edit_faq' permission. Navigate to the 'Add New FAQ' section and upload a crafted SVG file through the image upload feature. Once the SVG is uploaded, it can be accessed via its URL, where the embedded JavaScript will execute. For privilege escalation, a more complex SVG can be uploaded that, when clicked by an admin, creates a backdoor admin account.
Users are advised to update to phpMyFAQ version 4.1.1 or later, and to consider replacing the regex-based SVG sanitization with a DOM-based allowlist approach. Alternatively, SVG files can be served with a 'Content-Disposition: attachment' header to prevent inline rendering.
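To show why the advisory recommends a DOM-based allowlist over the regex approach, here is an added Python example (not phpMyFAQ's own code): the regex check only sees the still-encoded bytes, whereas a parser decodes the character reference before the href is checked. It also catches the case and whitespace variants that the same class of pattern check misses. The allowlist, function names and sample SVGs are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")  # keep output un-prefixed
# Hypothetical minimal allowlist; a real deployment would extend it.
ALLOWED_TAGS = {"svg", "g", "path", "rect", "circle", "text", "a", "title"}
ALLOWED_ATTRS = {"width", "height", "viewBox", "d", "x", "y", "r", "cx", "cy",
                 "fill", "stroke", "href"}

# Constructed samples mirroring the advisory: in BYPASS_SVG the scheme's first
# letter is a character reference, so the raw text never contains "javascript:".
BYPASS_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<a href="&#106;avascript:void(0)"><rect width="10" height="10"/></a></svg>')
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<a href="https://example.com/"><rect width="10" height="10"/></a></svg>')

def regex_filter_blocks(svg_text):
    # Models the weak pattern check: it only ever sees the still-encoded bytes.
    return re.search(r"javascript\s*:", svg_text, re.IGNORECASE) is not None

def _local(name):  # strip the {namespace} prefix ElementTree puts on tags/attrs
    return name.rsplit("}", 1)[-1]

def _url_is_safe(value):
    # Scheme check on the *decoded* value, ignoring whitespace and case tricks.
    v = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
    head = re.split(r"[/#?]", v, 1)[0]  # text before any path/fragment/query
    if ":" not in head:
        return True  # relative reference or fragment
    return head.split(":", 1)[0] in {"http", "https"}

def _clean(elem):
    for child in list(elem):  # drop unknown elements (script, foreignObject, ...)
        if _local(child.tag) not in ALLOWED_TAGS:
            elem.remove(child)
        else:
            _clean(child)
    for name in list(elem.attrib):  # drop unknown attrs, every on*, unsafe hrefs
        local = _local(name)
        if local not in ALLOWED_ATTRS or local.startswith("on"):
            del elem.attrib[name]
        elif local == "href" and not _url_is_safe(elem.attrib[name]):
            del elem.attrib[name]

def dom_sanitize(svg_text):
    # Parsing decodes character references, so the allowlist sees the real value.
    # Assumption: stdlib expat with no DTD/external-entity handling; harden in production.
    root = ET.fromstring(svg_text)
    _clean(root)
    return ET.tostring(root, encoding="unicode")
```

Serving uploads with `Content-Disposition: attachment`, as the advisory also suggests, is a complementary control that works even if the sanitizer has a gap.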